Bug 682119

Summary: ipa-join fails with subordinate CA
Product: [Retired] freeIPA
Component: ipa-client
Version: 2.0
Hardware: x86_64
OS: Linux
Status: CLOSED NOTABUG
Severity: high
Priority: unspecified
Reporter: Erinn Looney-Triggs <erinn.looneytriggs>
Assignee: Rob Crittenden <rcritten>
QA Contact: Chandrasekar Kannan <ckannan>
CC: benl, dpal, jgalipea
Doc Type: Bug Fix
Last Closed: 2011-03-07 18:07:56 UTC

Description Erinn Looney-Triggs 2011-03-04 08:12:19 UTC
Description of problem:
Near as I can figure (this worked when the CA was not subordinate) when running ipa-client-install with an IPA server that is a subordinate CA, install fails with the following error:

Operation failed! unsupported extended operation
child exited with 9

Let me know what other information I can get to you.


Version-Release number of selected component (if applicable):
ipa-client-2.0-9.el6.x86_64


Additional info:

ipa-join -s ipa.foo.com -d
XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>sb.foo.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-71.18.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

XML-RPC RESPONSE:

<?xml version='1.0' encoding='UTF-8'?>\n
<methodResponse>\n
<params>\n
<param>\n
<value><array><data>\n
<value><string>fqdn=sb.foo.com,cn=computers,cn=accounts,dc=foo,dc=com</string></value>\n
<value><struct>\n
<member>\n
<name>dn</name>\n
<value><string>fqdn=sb.foo.com,cn=computers,cn=accounts,dc=foo,dc=com</string></value>\n
</member>\n
<member>\n
<name>ipacertificatesubjectbase</name>\n
<value><array><data>\n
<value><string>O=FOO.COM</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>objectclass</name>\n
<value><array><data>\n
<value><string>ipaobject</string></value>\n
<value><string>nshost</string></value>\n
<value><string>ipahost</string></value>\n
<value><string>pkiuser</string></value>\n
<value><string>ipaservice</string></value>\n
<value><string>krbprincipalaux</string></value>\n
<value><string>krbprincipal</string></value>\n
<value><string>top</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>fqdn</name>\n
<value><array><data>\n
<value><string>sb.foo.com</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>ipauniqueid</name>\n
<value><array><data>\n
<value><string>15b4ad20-4636-11e0-b5b2-f04da2090ae0</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>krbprincipalname</name>\n
<value><array><data>\n
<value><string>host/sb.foo.com</string></value>\n
</data></array></value>\n
</member>\n
<member>\n
<name>managedby_host</name>\n
<value><array><data>\n
<value><string>sb.foo.com</string></value>\n
</data></array></value>\n
</member>\n
</struct></value>\n
</data></array></value>\n
</param>\n
</params>\n
</methodResponse>\n

Operation failed! unsupported extended operation
child exited with 9
Certificate subject base is: O=FOO.COM

Comment 1 Rob Crittenden 2011-03-04 14:52:00 UTC
What is the rpm version of the IPA server you are trying to join?

The OID for the join extended operation changed so older clients will not work with newer servers.

Comment 2 Erinn Looney-Triggs 2011-03-04 16:51:23 UTC
freeipa-python-2.0.0.rc2-0.fc14.x86_64
freeipa-client-2.0.0.rc2-0.fc14.x86_64
freeipa-server-2.0.0.rc2-0.fc14.x86_64
freeipa-admintools-2.0.0.rc2-0.fc14.x86_64
freeipa-server-selinux-2.0.0.rc2-0.fc14.x86_64

Comment 3 Erinn Looney-Triggs 2011-03-07 08:52:46 UTC
What is interesting about this is that this same client with this same version of ipa-client-install worked with rc1 and the beta versions, so did something change in rc2 that made it incompatible? If not, then it is probably the subordinate CA that is causing the issue because that is the only change I have made on my end of things, without subordinate CA worked, with failed.

-Erinn

Comment 4 Rob Crittenden 2011-03-07 16:12:59 UTC
Yes, the OID for the join extended operation changed so pre-rc2 clients won't work with rc2 servers. It is unrelated to any other changes you made.

Comment 5 Erinn Looney-Triggs 2011-03-07 18:07:56 UTC
Alright, sounds like this isn't really a bug then.